Big Bad Virus?

[xenxes]

Usually viruses I come across are a breeze, run a scanner delete processes and they go away, never had to reformat... I thought I'd ask around before I end up formatting ALL of my hard drives and start over. Recently I've been getting a few very serious symptoms on my machine running XP S2:

Symptoms:

1) Majority of executables have bytes appended to them, i.e.
a) download via firefox, executables become larger after downloaded
b) download via bittorrent, executables become corrupt mid-download, file size larger than normal
c) extract an executable, file size becomes larger than normal, usually by ~7168 bytes
d) change .exe to something else in archive, extract, file size is the same, rename to exe, file size increases

2) DEP comes up for way too many programs, including Microsoft ones
a) when I login, userinit is prevented by DEP, I ctrl-alt-delete, task manager is prevented by DEP
b) I have to leave the DEP warning window open and eventually get task manager to run, then run explorer multiple times all the while DEP is spamming me with warnings
c) I end task for dumpprep and the warning window, it eventually goes away, Windows behaves normally after


Tried:

1) Failed System Restore
2) ComboFix, nothing
3) HiJackThis, I eliminated all the suspicious processes, I get the eerie feeling that whatever this is attached itself to known processes
4) Complete in-depth scan of all HDs with ESET NOD32 on the latest virus DB, found nothing
5) Chkdsk did nothing


You know, at first I thought whatever this was was neat, now it's just freaking me out. Any ideas?

 

[xenxes]

Thought I'd post my HJT log, seems pretty clean to me.

Logfile of HijackThis v1.99.1
Scan saved at 12:31:44 AM, on 11/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [D-Link RangeBooster G WDA-2320] C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [egui] "C:\Program Files\Eset\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /M "Stylus CX3800" /EF "HKCU"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\Eset\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - Eset - C:\Program Files\Eset\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

 

[TVDinners]

I got a virus just like that 3 weeks ago from a downloaded file, couldn't open msconfig and dep kept coming up. Over 300 executables were overwritten with about 7k added to each one. I'm sure it actually hijacked my antivirus as well. I ended up booting into safe mode with network support. Reinstalled my anti virus, updated it and another version as well, did both scans. It cleared many of them, but after booting normally, the av kept finding them. it was overwhelming on my system. I finally formatted and reinstalled.

 

[xenxes]

Okay I tried installing NOD32 and AVG through Safe Mode, won't let me. What's funny is that I'm now installing via CD/Locked USB Drive and I get a warning message of not being able to WRITE to it every time I execute, so I know for a fact it's overwriting/appending bytes to my executables upon runtime/rename, even in SAFE MODE! and Safe Mode crashes a lot now.

This sucks. I have 3 hard drives with potentially infected executables.

I guess next I'll try to scan this computer via my laptop through a network connection... lol watch my laptop get infected too

*edit: nevermind I think I found out what it is..
http://www.bitdefender.com/VIRUS-1000163-en--Win32.Virtob.

or some variation of it, BD is just deleting every infected file w/o asking me, ugh, might as well as just reinstall. Pretty nasty, attaches to WINLOGON.

 

[xenxes]

So.. an update...

BD Alias is Win32.Virtob.BQ which infected EVERY .EXE FILE on ALL DRIVES, there were also a few Generic.Virtob.????s floating around. A few of my system restore exes are also infected with Trojan.Runas.D, Trojan.Downloader.Agent.ECZ, Trojan.Downloader.JJAJ, Trojan.Dropper.RKW. Selected .HTML and .PHP files were also infected. None of the files are disinfectable.

Programs Tried: AVG, BD, Dr.Web CureIt, NOD32, Kaspersky - only BD detects my variation "Win32.Virtob.BQ" and just deletes them, everything else can't even detect it.

So far 7000+ infected files and still searching. Going to at least delete all infected files before I format my OS partition and reinstall...

More info here: http://www.bitdefender.com/VIRUS-1000163-en--Win32.Virtob

Awesome.